b'         U.S. ENVIRONMENTAL PROTECTION AGENCY\n         OFFICE OF INSPECTOR GENERAL\n\n\n\n                                        Catalyst for Improving the Environment\n\nAudit Report\n\n\n       EPA\xe2\x80\x99s Office of Research and\n       Development Could Better Use the\n       Federal Managers\xe2\x80\x99 Financial Integrity Act\n       to Improve Operations\n\n       Report No. 09-P-0232\n\n       September 15, 2009\n\x0cReport Contributors:                              Patrick Gilbride\n                                                  Erin Barnes-Weaver\n                                                  Karen L. Hamilton\n                                                  Bryan Holtrop\n                                                  Alicia Mariscal\n                                                  Mary Anne Strasser\n\n\n\n\nAbbreviations\n\nBOSC           Board of Scientific Counselors\nEPA            U.S. Environmental Protection Agency\nFMFIA          Federal Managers\xe2\x80\x99 Financial Integrity Act\nFY             Fiscal Year\nGAO            Government Accountability Office\nGPRA           Government Performance and Results Act\nIRIS           Integrated Risk Information System\nNHEERL         National Health and Environmental Effects Research Laboratory\nOCFO           Office of the Chief Financial Officer\nOIG            Office of Inspector General\nOMB            Office of Management and Budget\nORD            Office of Research and Development\nPART           Program Assessment Rating Tool\n\n\n\n\nCover photo:     A photo montage of EPA Office of Research and Development National\n                 Health and Environmental Effects Research Laboratory facilities\n                 geographically dispersed across the United States (EPA photos).\n\x0c                       U.S. Environmental Protection Agency                                               09-P-0232\n                                                                                                  September 15, 2009\n                       Office of Inspector General\n\n\n                       At a Glance\n                                                                           Catalyst for Improving the Environment\n\n\nWhy We Did This Review            EPA\xe2\x80\x99s Office of Research and Development Could\nWe conducted this audit to\n                                  Better Use the Federal Managers\xe2\x80\x99 Financial Integrity\ndetermine whether the U.S.        Act to Improve Operations\nEnvironmental Protection\nAgency (EPA) Office of             What We Found\nResearch and Development\n(ORD) fully integrated the        ORD\xe2\x80\x99s management integrity program is inconsistent with Agency FMFIA\nFederal Managers\xe2\x80\x99 Financial       guidance. ORD approaches FMFIA as an administrative reporting activity rather\nIntegrity Act (FMFIA) into        than an opportunity to evaluate and report on research program performance. As\nprogram operations. We            a result, ORD has not:\nasked whether ORD has a\nsystematic strategy to                \xe2\x80\xa2   Conducted a comprehensive risk assessment,\nestablish, review, and monitor        \xe2\x80\xa2   Included National Program Directors in the FMFIA process,\ninternal controls, and what           \xe2\x80\xa2   Developed and implemented a strategy to establish and evaluate the\nORD\xe2\x80\x99s strategy should contain             effectiveness of internal controls over research programs,\nto account for risks in meeting       \xe2\x80\xa2   Provided FMFIA training to managers and staff, and\nprogram goals.                        \xe2\x80\xa2   Included relevant risk and program performance information in assurance\n                                          letters.\nBackground\n                                  EPA Order 1000.24 requires all organizations to systematically review and assess\nFMFIA requires federal            the effectiveness of internal controls consistent with GAO internal control\nmanagers to improve the           standards. The Order gives program managers flexibility in designing review\naccountability and                strategies. While ORD\xe2\x80\x99s largest lab, the National Health and Environmental\neffectiveness of federal          Effects Research Laboratory (NHEERL), informally identifies program risks,\nprograms by establishing,         neither ORD nor NHEERL conducts internal control risk assessments on which to\nassessing, correcting, and        base a program review strategy. Applying FMFIA as intended would help EPA\nreporting on internal control.    achieve its mission and program results through improved accountability.\nFMFIA also requires federal\nmanagers to annually evaluate     ORD\xe2\x80\x99s Administrative Efficiencies Project management integrity workgroup has\ntheir agencies\' compliance        initiated actions that we believe will address our findings, such as developing a\nwith Government                   draft multi-year review strategy. In developing its new strategy, ORD should\nAccountability Office (GAO)       include programmatic elements, a training plan, pertinent results from peer\ninternal control standards.       reviews, and best practices to ensure more effective FMFIA implementation.\n\nFor further information,           What We Recommend\ncontact our Office of\nCongressional, Public Affairs\nand Management at                 We recommend that ORD (1) conduct a risk assessment using GAO standards and\n(202) 566-2391.                   develop a comprehensive risk-based program review strategy; (2) develop\n                                  comprehensive, tiered FMFIA training for managers and staff; and (3) revise its\nTo view the full report,          management integrity program to include programmatic operations. ORD agreed\nclick on the following link:\nwww.epa.gov/oig/reports/2009/     with our recommendations and has initiated corrective actions that we believe\n20090915-09-P-0232.pdf            address the intent of our recommendations.\n\x0c                      UNITED STATES ENVIRONMENTAL PROTECTION AGENCY\n                                   WASHINGTON, D.C. 20460\n\n\n                                                                                        OFFICE OF\n                                                                                   INSPECTOR GENERAL\n\n\n\n                                       September 15, 2009\n\nMEMORANDUM\n\nSUBJECT:               EPA\xe2\x80\x99s Office of Research and Development Could Better Use the\n                       Federal Managers\xe2\x80\x99 Financial Integrity Act to Improve Operations\n                       Report No. 09-P-0232\n\n\nFROM:                  Melissa M. Heist\n                       Assistant Inspector General for Audits\n\nTO:                    Lek Kadeli\n                       Acting Assistant Administrator\n                       Office of Research and Development\n\n\nThe Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA)\nconducted this report on the subject audit. This report contains findings that describe problems\nwe identified and corrective actions we recommend. This report represents our opinion and does\nnot necessarily represent the final EPA position. EPA managers will make final determinations\non matters in this report in accordance with established audit resolution procedures.\n\nThe estimated cost of this report \xe2\x80\x93 calculated by multiplying the project\xe2\x80\x99s staff days by the\napplicable daily full cost billing rates in effect at the time \xe2\x80\x93 is $515,790.\n\nAction Required\n\nOn September 4, 2009, your office provided comments to our report that included a corrective\naction plan with milestone dates. We believe your planned corrective actions address the intent\nof each of our recommendations. As such, we plan to close this assignment upon issuance of this\nfinal report. We have no objections to the further release of this report to the public. This report\nwill be available at http://www.epa.gov/oig.\n\nWe appreciate the efforts of your staff in working with us during the course of our audit. If you\nor your staff has any questions regarding this report, please contact me at (202) 566-0899 or\nheist.melissa@epa.gov; or Patrick Gilbride, Director, Risk and Program Performance Issues, at\n(303) 312-6969 or gilbride.patrick@epa.gov.\n\x0cEPA\xe2\x80\x99s Office of Research and Development Could Better Use the                                                                 09-P-0232\nFederal Managers\xe2\x80\x99 Financial Integrity Act to Improve Operations\n\n\n\n                                    Table of Contents\n\nChapters\n   1   Introduction .................................................................................................................      1\n\n         Purpose ......................................................................................................................   1\n         Background ................................................................................................................      1\n         Noteworthy Achievements..........................................................................................                4\n         Scope and Methodology ............................................................................................               5\n\n   2   Opportunities Exist for ORD to Better Use the\n       FMFIA Process to Improve Programmatic Operations............................................                                       6\n\n         Management Integrity Program Inconsistent with FMFIA Guidance ..........................                                          6\n         Management Integrity Strategy Should Include Program Elements...........................                                         13\n         Conclusion .................................................................................................................     16\n         Recommendations .....................................................................................................            16\n         Agency Comments and OIG Evaluation.....................................................................                          17\n\n   Status of Recommendations and Potential Monetary Benefits.................................... 18\n\n\n\nAppendices\n   A     Organization of EPA ORD........................................................................................ 19\n\n   B     Details on Scope and Methodology........................................................................ 21\n\n   C     Agency Response to Draft Report.......................................................................... 23\n\n   D     Distribution ............................................................................................................... 28\n\x0c                                                                                   09-P-0232\n\n\n\n\n                                Chapter 1\n                                 Introduction\n\nPurpose\n          The Office of Inspector General (OIG) reviewed implementation of the Federal\n          Managers\xe2\x80\x99 Financial Integrity Act (FMFIA) within the Office of Research and\n          Development (ORD), the scientific research arm of the U.S. Environmental\n          Protection Agency (EPA). We sought to determine whether ORD fully integrated\n          FMFIA into programmatic operations. We examined ORD using its largest lab,\n          the National Health and Environmental Effects Research Laboratory (NHEERL),\n          as our example. Our objectives were to determine:\n\n          \xe2\x80\xa2   Whether ORD has a systematic strategy to establish, review, and monitor\n              internal controls.\n          \xe2\x80\xa2   What ORD\'s internal control strategy should contain to account for risks in\n              meeting program goals.\n\nBackground\n          EPA\xe2\x80\x99s Office of Research and Development\n\n          ORD is EPA\'s lead office for the production, review, and integration of scientific\n          and technical knowledge into environmental protection policies and regulations.\n          ORD has seven laboratories and centers across the country, with ORD\n          headquarters in Washington, DC, and main research facilities in Ohio and North\n          Carolina. NHEERL is ORD\xe2\x80\x99s largest individual laboratory, accounting for\n          21 percent of ORD\xe2\x80\x99s Fiscal Year (FY) 2008 budget and 33 percent of its\n          authorized full-time staff. NHEERL has division and field office laboratories in\n          eight locations and ecological environments across the country.\n\n          To provide the leadership to accomplish ORD\xe2\x80\x99s strategic goals, ORD created an\n          Executive Council, consisting of senior management, to make corporate\n          decisions. ORD instituted a strategic multi-year planning process to guide the\n          direction of ORD\xe2\x80\x99s research to focus on EPA\'s highest priority science needs.\n          National Program Directors lead development of multi-year plans with\n          involvement by staff and managers. There are no direct lines of authority\n          between National Program Directors and lab, center, and office directors as both\n          positions report to the Assistant Administrator. ORD confirms the relevancy and\n          credibility of its science through program reviews by the Board of Scientific\n          Counselors (BOSC). ORD aligned BOSC reviews to meet the structure of\n          reviews conducted under the Office of Management and Budget (OMB) Program\n          Assessment Rating Tool (PART).\n\n\n\n                                           1\n\x0c                                                                               09-P-0232\n\n\nORD issued a policy in November 2006 on how ORD implements FMFIA.\nORD\xe2\x80\x99s Assistant Administrator has responsibility for implementing FMFIA.\nAdditional responsibilities lie with lab and center directors and deputy directors.\nAn ORD Management Integrity Advisor coordinates activities such as the\nassurance letter process. The Advisor works with designated Management\nIntegrity Coordinators within ORD\xe2\x80\x99s seven labs and centers. According to ORD\xe2\x80\x99s\npolicy, National Program Directors do not have a role in the management integrity\nprocess. See Appendix A for more details on ORD\xe2\x80\x99s organizational structure.\n\nManagement Integrity Guidance\n\nFMFIA requires federal managers to improve the accountability and\neffectiveness of federal programs and operations by establishing, assessing,\ncorrecting, and reporting on internal control. Federal managers must also\ndevelop and maintain internal control to achieve: (1) effective and efficient\noperations; (2) reliable financial reporting; and (3) compliance with applicable\nlaws and regulations per OMB Circular A-123, Management\xe2\x80\x99s Responsibility\nfor Internal Control (revised). Effective internal control is a key factor in\nachieving agency missions and program results.\n\nThe Federal Government has implemented several initiatives, such as the\nGovernment Performance and Results Act of 1993 (GPRA) and PART, to\nimprove program management. Activities conducted as part of these initiatives\nsupport an agency\xe2\x80\x99s overall internal control framework. Figure 1.1 illustrates\nhow FMFIA serves as an umbrella under which agencies should coordinate\ninternal control efforts.\nFigure 1.1: FMFIA Internal Control Framework\n\n\n\n\nSource: EPA training, EPA Internal Control and Management Integrity: Make It\nSecond Nature, issued (via EPA\xe2\x80\x99s Intranet) on May 28, 2008 (slide 11 of 21).\n\n\n\n                                      2\n\x0c                                                                                   09-P-0232\n\n\nFMFIA requires federal managers to annually evaluate their agency\'s compliance\nwith Government Accountability Office (GAO) Standards for Internal Control in\nthe Federal Government, shown in Table 1.1, and issue a statement indicating full\ncompliance or noncompliance. The standards provide the overall framework for\nestablishing and maintaining internal controls, and for identifying and addressing\nmajor performance and management challenges and areas at greatest risk of fraud,\nwaste, abuse, and mismanagement. The standards comprise a major part of\nmanaging an organization.\n\nTable 1.1: GAO\xe2\x80\x99s Standards for Internal Control in the Federal Government\n      Control       This standard establishes and maintains an environment throughout\n   Environment      the organization that sets a positive and supporting attitude toward\n                    internal control and conscientious management. This includes\n                    establishing goals, objectives, and performance measures at the entity\n                    and activity level.\n       Risk         Once the goals, objectives, and measures have been defined, the risks\n   Assessment       that could impede efficiently and effectively achieving those objectives\n                    are identified. This includes assessing risks the agency faces from\n                    both internal and external sources. Risk assessment includes\n                    identifying and analyzing risks associated with achieving objectives\n                    defined in strategic and annual performance plans developed under\n                    GPRA, and form a basis for determining how to manage risks.\n                    Management needs to comprehensively identify risks and should\n                    consider all significant interactions between the entity and other parties\n                    as well as internal factors at both the entity-wide and activity levels.\n      Control       These are the policies, procedures, techniques, and mechanisms that\n     Activities     implement management\xe2\x80\x99s direction to achieving goals. Internal control\n                    activities help ensure that management\xe2\x80\x99s directives are carried out.\n Information and This standard includes data and information (performance and\n Communications financial) to determine whether the organization meets its goals and\n                    objectives and maintains accountability over resources.\n    Monitoring      Internal control monitoring should assess the quality of performance\n                    over time and ensure that audits and other review findings are\n                    promptly resolved.\nSource: OIG\xe2\x80\x99s Summary of GAO\xe2\x80\x99s Standards for Internal Control in the Federal Government,\nGAO/AIMD-00-21.3.1 (November 1999).\n\nTo implement FMFIA and OMB Circular A-123, EPA issued Order 1000.24,\nManagement\xe2\x80\x99s Responsibility for Internal Control. The Order:\n\n\xe2\x80\xa2   Prescribes policies, procedures, and standards for internal controls at EPA;\n\xe2\x80\xa2   Outlines Agency senior managers\xe2\x80\x99 roles and responsibilities for developing,\n    implementing, assessing, documenting, improving, and reporting on internal\n    controls;\n\xe2\x80\xa2   Incorporates specific requirements for assessing internal controls over\n    financial reporting; and\n\xe2\x80\xa2   Provides tools to help managers monitor both overall program progress and\n    the effectiveness of day-to-day operations.\n\n\n\n\n                                     3\n\x0c                                                                                 09-P-0232\n\n\n         In accordance with the Order, the Office of the Chief Financial Officer (OCFO)\n         issues annual guidance to program and regional offices on complying with\n         FMFIA. This guidance includes a reporting template with specific instructions\n         for completing assurance letters. Assurance letters provide the results of the\n         internal control assessment and an overall statement to the Administrator on the\n         adequacy of controls for the organization. In 2008 OCFO also developed an\n         Intranet training to increase understanding of internal controls, titled EPA\n         Awareness Training for Internal Controls and Management Integrity, although\n         OCFO did not mandate that all EPA staff complete the course. OCFO annually\n         collects all program and regional office assurance letters and compiles a single\n         draft assurance letter for the Administrator to review and sign.\n\n         EPA\xe2\x80\x99s Order also requires managers to develop and implement a strategy that\n         defines how they use sources of program management information to provide the\n         basis for their annual assurance letters. The systematic review strategy should be\n         consistent with and integrate Agency-wide processes used to develop and report\n         on program performance measures and results required under GPRA. Examples\n         of sources of program management information include: OIG and GAO reports,\n         internal and external program evaluations, audits and reviews conducted under the\n         Chief Financial Officers Act and GPRA, PART, and other reviews. The Order\n         recommends that program managers use GAO\xe2\x80\x99s five internal control standards\n         when developing a review strategy as the basis for determining the need for and\n         design of an internal control and how well it functions.\n\n         EPA also issued a 1996 publication, Management Integrity at EPA - A Manager\xe2\x80\x99s\n         \xe2\x80\x9cHow To\xe2\x80\x9d Guide for Program Reviews: Seeing the Forest and the Trees. The\n         guide introduced the Agency\xe2\x80\x99s 10 management integrity principles and noted that\n         managers often miss the essence of internal controls and FMFIA:\n\n                In complying with FMFIA, many Federal managers historically\n                never saw the \xe2\x80\x9cBig Picture.\xe2\x80\x9d Most focused on filling out\n                checklists and performing other routine compliance tests, rather\n                than considering management controls in light of broader program\n                issues and EPA\xe2\x80\x99s overall mission. In short, they got lost in the\n                trees and never saw the forest!\n\nNoteworthy Achievements\n         ORD re-engineered its management integrity function through its Administrative\n         Efficiencies Project. This effort focused on improving administrative and\n         financial internal controls, including how ORD might conduct a formal risk-based\n         assessment of those controls. This effort\xe2\x80\x99s management integrity workgroup is\n         also considering a separate \xe2\x80\x9cscientific\xe2\x80\x9d or programmatic track for assessing\n         internal control.\n\n\n\n\n                                          4\n\x0c                                                                                                   09-P-0232\n\n\n                ORD engaged the National Academy of Sciences to evaluate its research program\n                effectiveness in a report, Evaluating Research Efficiency in the U.S.\n                Environmental Protection Agency (published in 2008), which significantly altered\n                the dialogue and approach to efficiency measurement.\n\n                ORD and NHEERL undergo many external peer reviews to maintain a high level\n                of credibility. The Science Advisory Board reviews the quality and relevance of\n                scientific and technical information used or proposed as the basis for Agency\n                regulations. BOSC evaluates and reviews scientific research programs, plans, and\n                laboratories (and related management practices) and recommends improvement\n                actions. Since FY 2008, NHEERL has conducted management systems reviews\n                in lieu of traditional divisional reviews as a cost saving effort.\n\nScope and Methodology\n\n                We conducted our audit from July 2008 through April 2009 in accordance with\n                generally accepted government auditing standards. Those standards require that\n                we plan and perform the audit to obtain sufficient, appropriate evidence to\n                provide a reasonable basis for our findings and conclusions based on our audit\n                objectives.1 We believe that the evidence obtained provides a reasonable basis for\n                our findings and conclusions based on our audit objectives.\n\n                We focused our evaluation on ORD\xe2\x80\x99s headquarters office in Washington, DC, and\n                NHEERL facilities located in Raleigh, North Carolina, and Corvallis and\n                Newport, Oregon. We reviewed and analyzed EPA and ORD management\n                integrity policies, procedures, and FMFIA guidance; ORD\xe2\x80\x99s budget and\n                expenditure data; and FYs 2007 and 2008 FMFIA assurance letters. We\n                interviewed ORD and NHEERL personnel at various levels of responsibility.\n                We conducted site visits to NHEERL and its Western Ecology Division, including\n                tours of several laboratories. We benchmarked risk assessment methods used by\n                others in the public sector, as well as the FMFIA process at eight other federal\n                agencies. We reviewed NHEERL-related internal/external peer reviews to\n                determine the extent to which they addressed internal controls. Appendix B\n                provides additional information on our scope and methodology.\n\n\n\n\n1\n  In the course of performing our field work, we identified findings applicable outside of ORD-NHEERL. In\nFebruary and March 2009 we expanded our field work to include reviewing assurance letters and FMFIA processes\nin four regions and two program offices. In August 2009, we issued a report to OCFO on the Agency\xe2\x80\x99s management\nintegrity program, summarizing examples from the regions and program offices we reviewed.\n\n\n                                                      5\n\x0c                                                                                   09-P-0232\n\n\n\n\n                                Chapter 2\n    Opportunities Exist for ORD to Better Use the\n FMFIA Process to Improve Programmatic Operations\n          ORD\xe2\x80\x99s management integrity program is inconsistent with Agency FMFIA\n          guidance. Currently, ORD approaches FMFIA as an administrative reporting\n          activity rather than an opportunity to evaluate and report on research program\n          performance. As a result, ORD has not:\n\n             \xe2\x80\xa2   Conducted a comprehensive risk assessment,\n             \xe2\x80\xa2   Included National Program Directors in the FMFIA process,\n             \xe2\x80\xa2   Developed and implemented a strategy to establish and evaluate the\n                 effectiveness of internal controls over research programs,\n             \xe2\x80\xa2   Provided FMFIA training to managers and staff to assess program\n                 performance, and\n             \xe2\x80\xa2   Included relevant risk and program performance information in assurance\n                 letters.\n\n          EPA Order 1000.24 requires all organizations to systematically review and assess\n          the effectiveness of internal controls consistent with GAO internal control\n          standards. The Order gives program managers flexibility in designing review\n          strategies. While NHEERL, ORD\xe2\x80\x99s largest lab, informally identifies program\n          risks, neither ORD nor NHEERL conducts internal control risk assessments on\n          which to base a program review strategy. Applying FMFIA as intended would\n          help EPA achieve its mission and program results through improved\n          accountability.\n\nManagement Integrity Program Inconsistent with FMFIA Guidance\n          ORD Has Not Conducted a Comprehensive Internal Control\n          Risk Assessment\n\n          ORD has not conducted a formal risk assessment for identifying and analyzing\n          risks for possible effects in program operations. OMB Circular A-123 states that\n          managers should perform risk assessments to identify significant areas within\n          which to place or enhance internal control. The Circular describes risk\n          assessment as a critical step in the process to determine the extent of controls.\n\n          While ORD has not assessed risk, NHEERL and its Western Ecology Division\n          have informally assessed their program risks, as shown in Table 2.1.\n\n\n\n\n                                           6\n\x0c                                                                               09-P-0232\n\n\nTable 2.1: Program Risks\n                                                                               Western\n                                                                               Ecology\n                        Identified Program Risks                    NHEERL     Division\n 1.   Inability to quickly respond to changing priorities.            X           X\n 2.   Imbalance of breadth and depth in research program.             X           X\n 3.   Difficulty in building/maintaining research collaborations.     X           X\n 4.   Inability to meet commitments in face of declining              X           X\n      resources.\n 5.   Inadequate safeguards to ensure that Agency decisions are       X              X\n      supported by the highest quality science.\n 6.   Unclear priorities.                                                            X\n 7.   Mismatch of skill mix.                                                         X\n 8.   Difficulty in building and maintaining partnerships with                       X\n      program offices and regions.\nSource: NHEERL and Western Ecology Division presentations to OIG in November 2008.\n\n\nNHEERL conducts quality assurance, peer review, and accountability reviews\nthat it believes address three of the five risks identified. However, NHEERL\nidentified these risks based on management\xe2\x80\x99s judgment subsequent to initiating\nthese reviews and did not assess the effectiveness of internal controls.\n\nORD Does Not Include National Program Directors in the FMFIA\nProcess\n\nORD\xe2\x80\x99s process to evaluate risks and assign priority does not involve National\nProgram Directors. These directors lead development of ORD\xe2\x80\x99s multi-year plans\nthat tie to the strategic plan and EPA\xe2\x80\x99s mission, so internal control risk\nassessments should focus on impediments to multi-year plans. Some of the\ndirectors we interviewed said that individual lab research priorities did not\nnecessarily align with multi-year plan priorities. Further, even though directors\nplay a significant role in directing and ensuring that ORD achieves its mission,\nORD has not involved them in evaluating internal controls, implementing the\nmanagement integrity program, or preparing FMFIA assurance letters.\n\nLab and center directors told us ORD should involve National Program Directors\nin the FMFIA process but were unsure how to do so given ORD\xe2\x80\x99s matrix structure.\nThis structure separates program performance aspects such as PART and GPRA\nfrom FMFIA and provides no clear link between required annual reports. EPA\nOrder 1000.24 addresses program managers\xe2\x80\x99 responsibility for internal controls,\nincluding GPRA performance measures. The Order also specifies that any review\nstrategy be consistent with Agency processes for GPRA reporting.\n\nORD\xe2\x80\x99s organizational structure sets boundaries for what National Program\nDirectors can do in regards to implementing research assigned to lab and center\ndirectors. While National Program Directors develop research plans, reviews, and\nbudgets, they do not oversee day-to-day operations including spending and\nstaffing. Without additional involvement, National Program Directors cannot\nevaluate a research program\xe2\x80\x99s internal controls. In our interviews, directors\n\n\n                                     7\n\x0c                                                                         09-P-0232\n\n\ndescribed difficulties encountered while managing their research programs, such\nas limited access to information on funding spent against the budget and staff time\ncharges to research programs. They also indicated they could benefit from\nimproved communication and coordination with labs, centers, and offices to\nensure consensus on prioritizing, implementing, and managing research programs.\n\nORD Has Not Developed a Program Review Strategy\n\nORD has not developed a strategy to systematically review and assess the\neffectiveness of internal control for program operations. EPA Order 1000.24\nstates that program managers should develop a strategy for systematically\nreviewing and assessing the effectiveness of internal controls; detecting\nweaknesses and deficiencies; and providing a sound, documented basis for the\nassurance letter to the Administrator. OCFO\xe2\x80\x99s FY 2008 management integrity\nguidance requires that annual assurance letters describe the organization\'s review\nstrategy for assessing how well internal controls over program operations\n(guidance, procedures, and policies) protect against fraud, waste, abuse, and\nmismanagement.\n\nORD managers annually require labs and centers to design a review strategy that\nmeets program needs and conduct internal control reviews. However we did not\nfind any evidence that these activities took place for research programs. Our\ninterviews with ORD and NHEERL staff, as well as our review of ORD\xe2\x80\x99s and\nNHEERL\xe2\x80\x99s FY 2008 assurance letters, confirmed this. ORD states in its FY 2008\nassurance letter that \xe2\x80\x9cORD conducted more than 38 management reviews of the\nfollowing areas: extramural (assistance agreements, interagency agreements,\ncontracts, simplified acquisitions), purchase cards, property, funds control and\nflexiplace.\xe2\x80\x9d Management reviews focused on administrative and financial\nactivities, not program operations.\n\nORD managers agreed that their FY 2008 assurance letter did not discuss a\nprogram review strategy or describe how it reviewed principal research programs.\nORD stated it believed \xe2\x80\x9cExamples exist in the assurance letter of how ORD\napproached the review of some of its programs, for example the approach for\naddressing the Agency\xe2\x80\x99s (and ORD\xe2\x80\x99s) Biofuels Strategy.\xe2\x80\x9d However ORD did not\nbase this process on a comprehensive risk assessment, did not report on internal\ncontrol effectiveness, and may not have provided a sound basis for the Assistant\nAdministrator to assert compliance with FMFIA.\n\nIn August 2008, ORD organized a management integrity workgroup as part of its\nAdministrative Efficiencies Project. ORD charged this workgroup with\ndeveloping a plan for conducting a management integrity line of business as an\nORD-wide function. ORD said the workgroup will coordinate various programs\nthat support management integrity into standard ORD operating principles. We\nreviewed ORD\xe2\x80\x99s draft strategy and do not believe that it addresses programmatic\ncontrols.\n\n\n\n                                 8\n\x0c                                                                                                   09-P-0232\n\n\n                ORD Relies on Limited OCFO Guidance\n\n                ORD relies on OCFO guidance that does not focus on program operations for\n                reporting internal controls. Further, ORD did not change the composition of its\n                assurance letter between 2007 and 2008 to reflect changes in OCFO guidance.\n                OCFO\xe2\x80\x99s FY 2008 guidance:\n\n                     \xe2\x80\xa2   Required a more rigorous review of the Agency\xe2\x80\x99s internal controls against\n                         GAO\xe2\x80\x99s Standards for Internal Control in the Federal Government.\n                     \xe2\x80\xa2   Required offices to document their approach to programmatic internal\n                         control reviews in assurance letters.\n                     \xe2\x80\xa2   Included an Internal Control Evaluation Checklist as an attachment to\n                         provide a basis on which to evaluate internal controls and to use the\n                         checklist to assess the effectiveness of programmatic internal controls.\n\n                OCFO believed its FY 2008 guidance improved reporting on internal control\n                effectiveness of program operations. However, the OCFO letter template focused\n                on administrative and financial reporting.2 ORD did not follow any strategy or\n                report additional information on internal controls beyond what OCFO specified in\n                its template.\n\n                ORD staff told us they found OCFO\xe2\x80\x99s 2008 guidance confusing in several areas.\n                For example, staff could not discern whether ORD should report the occurrence\n                or results of program reviews. Staff also said OCFO\xe2\x80\x99s guidance was not specific\n                and did not always tie in to EPA Order 1000.24.\n\n                ORD\xe2\x80\x99s lab and center Management Integrity Coordinators rely on FMFIA\n                guidance disseminated by ORD after it receives OCFO\xe2\x80\x99s annual guidance.\n                However, ORD did not disseminate all guidance it received from OCFO in\n                FY 2008. ORD did not disseminate the checklist until OCFO initiated its\n                FY 2009 assurance letter process; 83 percent of Management Integrity\n                Coordinators interviewed said they had not seen the checklist before this year.\n                We also noted that OCFO\xe2\x80\x99s FY 2008 guidance and ORD\xe2\x80\x99s assurance letter\n                contained the subject heading Internal Control Review Strategy while NHEERL\xe2\x80\x99s\n                assurance letter did not, because the guidance ORD provided to labs and centers\n                did not include that subject heading as a reporting requirement.\n\n                In addition, we found that ORD\xe2\x80\x99s 2006 Management Integrity Policy, a\n                supplement to EPA\xe2\x80\x99s guidance, was inconsistent with FMFIA guidance because it\n                did not cite GAO\xe2\x80\x99s Standards for Internal Control in the Federal Government.\n                The policy also referenced out-of-date information, such as older versions of both\n                OMB A-123 and EPA Order 1000.24. ORD staff indicated that its Management\n                Integrity Workgroup plans to revise ORD\xe2\x80\x99s policy to include updated guidance.\n\n\n2\n We issued a report to OCFO in August 2009 describing our concerns on the administrative focus of FMFIA\nguidance.\n\n\n                                                      9\n\x0c                                                                                   09-P-0232\n\n\nORD Managers and Staff Need Additional Training on Internal\nControl Standards\n\nORD personnel gain knowledge of FMFIA and internal controls largely through\non-the-job-training and did not receive sufficient additional training on evaluating\ninternal controls. Inadequate understanding of the internal control process\nresulted in ORD relegating FMFIA to a yearly administrative reporting activity.\nORD managers and staff responsible for FMFIA receive no training on GAO\xe2\x80\x99s\nfive internal control standards or how to ensure research programs meet standards.\nGAO\xe2\x80\x99s standards provide the overall framework for establishing and maintaining\ninternal control, and for identifying and addressing major performance and\nmanagement challenges. None of ORD\xe2\x80\x99s lab and center directors could say that\ntheir assurance letters addressed internal control standards. Three of seven\nManagement Integrity Coordinators said they addressed all five standards\nthroughout their letters while the remaining four acknowledged that their letters\ndid not do so. Only four of seven coordinators were aware of GAO\xe2\x80\x99s standards,\nwhile only two of seven were familiar with GAO\xe2\x80\x99s evaluation tool/checklist.\nFigure 2.1 illustrates coordinators\xe2\x80\x99 awareness of management integrity guidance.\n\nFigure 2.1: Awareness by Management Integrity Coordinators of FMFIA Guidance\n\n\n\n                  EPA "How To" Guide\n\n\n                   GAO Tool/Checklist\n FMFIA Guidance\n\n\n\n\n                  GAO Internal Control\n                     Standards\n\n                      EPA Awareness\n                         Training\n\n                  OMB Circular A-123\n\n\n                   EPA Order 1000.24\n\n                                     0%    20%       40%       60%           80%     100%\n\n                                          Percentage of MICs Aware of Guidance\n\nSource: OIG analysis of interviews with Management Integrity Coordinators.\n\nManagers and staff interviewed said they did not consider results of program\nreviews, such as GPRA performance measures, PART, and peer reviews relevant\nfor FMFIA purposes. However, FMFIA guidance, including OMB Circular\nA-123, emphasizes the importance of integrating these reviews into the FMFIA\nprocess. Several coordinators interviewed said their FMFIA reporting activities\nfocused entirely on administrative activities with no linkage between program\nreview information and FMFIA. All of ORD\xe2\x80\x99s coordinators \xe2\x80\x93 and several\nmanagers \xe2\x80\x93 said that additional training on FMFIA would be helpful. One ORD\n\n\n\n                                           10\n\x0c                                                                          09-P-0232\n\n\nmanager suggested that EPA develop tiered training, with one tier for senior\nmanagers on understanding controls and FMFIA and another for management\nintegrity staff on the "nuts and bolts" of implementing and reporting on controls.\nWe believe ORD\xe2\x80\x99s FMFIA training should also include coverage of all key\nguidance documents, such as EPA Order 1000.24.\n\nORD managers agree on the need to conduct internal control training at all levels\nwithin the organization. However, ORD\xe2\x80\x99s Draft Multi-Year Program Review\nStrategy did not elaborate on a specific training plan. ORD states that it will\nperiodically train all key personnel involved in the internal control process and\nwork with the Agency to identify appropriate training for staff. ORD should\nidentify areas of strength and weakness among its staff and, in turn, tailor its\ntraining around those needs. Coordinators interviewed suggested ORD develop\ntraining that includes:\n\n   \xe2\x80\xa2   Internal controls,\n   \xe2\x80\xa2   An ORD-specific template for reporting,\n   \xe2\x80\xa2   Best practices/lessons learned,\n   \xe2\x80\xa2   Risk assessment requirements, and\n   \xe2\x80\xa2   Training unique to managers on their FMFIA responsibilities and internal\n       controls.\n\nWithout comprehensive and up-to-date training, personnel may not be qualified to\nassess performance of programmatic operations.\n\nAssurance Letters Omitted Program Risk and Performance\nInformation\n\nORD, NHEERL, and the Office of Science Policy\xe2\x80\x99s FY 2008 assurance letters did\nnot document results of relevant program reviews conducted by organizations\nexternal to ORD. EPA Order 1000.24 provides several examples of program\nmanagement information to incorporate into assurance letters, including\nmanagement reviews, OIG and GAO reports, program evaluations, and other\naudits and reviews such as GPRA. Examples of program risk and performance\ninformation omitted from assurance letters follow in Table 2.2.\n\n\n\n\n                                 11\n\x0c                                                                                                  09-P-0232\n\n\n                Table 2.2: Examples of Information Omitted from Assurance Letters\n                  ORD\n                  \xe2\x80\xa2 ORD\xe2\x80\x99s FMFIA strategy and FY 2008 assurance letter did not address how ORD\n                     developed and implemented performance goals and measures to comply with\n                     GPRA and PART requirements. ORD described this internal control system in its\n                     \xe2\x80\x9cAccountability Handbook for Performance Measurement\xe2\x80\x9d (dated August 2007) and\n                     in Section 5.2 (\xe2\x80\x9cORD Performance Measure Tracking\xe2\x80\x9d) of ORD\xe2\x80\x99s Policies and\n                     Procedures Manual.\n                  \xe2\x80\xa2 ORD\xe2\x80\x99s letter did not discuss results of BOSC reviews on four research programs\n                     and one center in FY 2007 and 2008.3 Also, ORD\xe2\x80\x99s 2008 assurance letter did not\n                     mention completed NHEERL-relevant PART and BOSC reviews for two research\n                     programs.4 ORD said it incorporates BOSC review results \xe2\x80\x9cinto ORD management\n                     decision-making and into the criteria used for budget decisions and related\n                     documents." Several of these BOSC reviews addressed program management\n                     issues and could serve to demonstrate ORD\'s compliance with two GAO internal\n                     control standards (control activities and monitoring).\n                  \xe2\x80\xa2 ORD\'s letter did not mention GAO\xe2\x80\x99s April and May 2008 testimonial reports where\n                     GAO found that ORD\xe2\x80\x99s revised Integrated Risk Information System (IRIS) process\n                     did not respond to GAO\xe2\x80\x99s March 2008 report recommendations and further\n                     jeopardized IRIS database viability.5 In recommending that EPA not consider IRIS\n                     as a management challenge (in an attachment to its 2008 letter), ORD cited its\n                     revised IRIS process but did not elaborate on GAO\xe2\x80\x99s findings. ORD told us it\n                     disagreed when GAO first identified IRIS as a management challenge. However,\n                     ORD now agrees since GAO listed IRIS on its High Risk report.\n                  \xe2\x80\xa2 ORD only included performance measures on IRIS and the Human Health Risk\n                     Assessment program in its FY 2008 letter, excluding all other performance\n                     measures. ORD said OCFO\xe2\x80\x99s FY 2008 guidance did not require reporting on\n                     performance measures. However, the first page of the cover memo accompanying\n                     OCFO\xe2\x80\x99s FY 2008 guidance stated explicitly that FMFIA requires the Administrator\n                     to report on internal controls over programs, including performance measures.\n                     OMB Circular A-123 also specifies that agencies consider GPRA and PART\n                     requirements as part of their internal control structure. Consistent with this\n                     Circular, EPA Order 1000.24 specifies this same requirement.\n                  \xe2\x80\xa2 ORD\xe2\x80\x99s letter did not mention results of a National Academy of Sciences report\n                     issued in February 2008, Evaluating Research Efficiency in the U.S. Environmental\n                     Protection Agency, and NHEERL divisional peer reviews. In its FY 2008\n                     assurance letter, NHEERL described completing the Atlantic Ecology Division peer\n                     review and responding to the Mid-Continent Ecology Division\xe2\x80\x99s peer review. ORD\n                     excluded these significant NHEERL items from the FY 2008 ORD assurance letter.\n                     Our review of the Atlantic Ecology Division peer review report determined that it\n                     addressed three internal control standards (risk assessment, control activities, and\n                     monitoring).\n\n\n\n\n3\n  BOSC reviewed the Science and Technology for Sustainability Research Program, Human Health Risk\nAssessment Research Program, Particulate Matter/Ozone Research Program (mid-cycle), Endocrine Disrupting\nChemicals Research Program (mid-cycle), and the National Center for Environmental Research.\n4\n  These included the Ecological and Safe Pesticide/Safe Product Research Programs.\n5\n  IRIS provides toxic chemical assessment information to EPA\xe2\x80\x99s stakeholders.\n\n\n                                                     12\n\x0c                                                                                            09-P-0232\n\n\n           NHEERL and Office of Science Policy\n           \xe2\x80\xa2 NHEERL did not identify results of relevant BOSC reviews (reports issued in July\n              and August 2007) in which NHEERL\xe2\x80\x99s Gulf Ecology Division participated. Our\n              analysis found that these reviews identified issues relating to four internal control\n              standards and all five of NHEERL\'s self-identified risks.\n           \xe2\x80\xa2 NHEERL did not discuss the contents or results of a detailed Atlantic Ecology\n              Division peer review in its FY 2008 letter. NHEERL disclosed that it had completed\n              a peer review and that the committee issued a written report \xe2\x80\x9cwhich identifies\n              strengths and challenges and offers recommendations for improvement.\xe2\x80\x9d\n           \xe2\x80\xa2 ORD\xe2\x80\x99s Office of Science Policy, which manages BOSC efforts, listed in its FY 2008\n              assurance letter final reports completed for five research programs but did not\n              discuss report contents or results. The office included information on review\n              accomplishments, but this information only described the report title, procedural\n              activity (e.g., meeting, conference call), and final report. Additionally, its assurance\n              letter did not discuss a review strategy to systematically evaluate internal controls.\n          Source: OIG analysis.\n\n          ORD managers said the assurance letter \xe2\x80\x9cmust attest to the soundness of internal\n          controls for programs, functions, and financial activities\xe2\x80\x9d for labs and centers.\n          Completing a risk assessment and developing a review strategy would support\n          decisions regarding the relevance of these reviews and, as a result, determining\n          whether to include review results in the assurance letter. However, because they\n          did not conduct a formal risk assessment nor follow a systematic review strategy,\n          ORD, NHEERL, and the Office of Science Policy omitted from assurance letters\n          external review results pertinent to management integrity. We found review\n          results directly addressed GAO\xe2\x80\x99s five internal control standards. Such omissions\n          could impact the accuracy of information ORD reports in its assurance letters, and\n          may render invalid any assurance ORD makes as to the integrity of its programs.\n\nManagement Integrity Strategy Should Include Program Elements\n          As noted above, ORD has not developed a program review strategy to\n          systematically review and assess the effectiveness of internal control as required\n          by EPA Order 1000.24. ORD viewed FMFIA as an administrative exercise and\n          did not consider external program review results as relevant to its management\n          integrity approach. ORD has taken recent steps to develop a draft Multi-Year\n          Program Review Strategy \xe2\x80\x93 a requirement of OCFO\xe2\x80\x99s 2009 FMFIA guidance.\n          We commend ORD for developing a formal strategy and encourage ORD to\n          include specific details on how it plans to address strategy recommendations in\n          EPA Order 1000.24. In addition, per our second objective, we believe ORD\xe2\x80\x99s\n          strategy should also include information on its extensive peer review program as\n          well as best practices we identified from other public sources.\n\n          External Peer Program Reviews Conducted by ORD and NHEERL\n\n          ORD\xe2\x80\x99s Strategy should explain how it plans to use external program reviews\n          conducted by the Science Advisory Board, BOSC, peers, GAO, and OIG as\n          program management elements required by EPA Order 1000.24. ORD initiates\n\n\n                                              13\n\x0c                                                                                      09-P-0232\n\n\nprogram reviews at several levels within its complex matrix structure. ORD\xe2\x80\x99s\nstrategy should include a schedule for reviews and describe how ORD will use\nand report review results as part of its FMFIA process. Results of these reviews,\nin addition to other program evaluations, should form the basis for any assertions\nORD makes in its annual assurance letter to the Administrator. ORD should also\nevaluate the scope and frequency of external reviews. The potential impact of any\nrisk should include both quantitative and qualitative costs:\n\n      \xe2\x80\xa2     Quantitative costs include the cost of property, equipment, or inventory,\n            cash dollar loss, and damage and repair costs.\n      \xe2\x80\xa2     Qualitative costs include loss of public trust, loss of future funding,\n            increased legislation, violation of laws, not achieving organizational goals,\n            and decreased credibility. Such costs, while more difficult to assess, are\n            equally important.\n\nWe found that ORD identified completed peer reviews but did not discuss review\nresults. Figure 2.2 lists Science Advisory Board, BOSC, and divisional NHEERL\npeer reviews.\nFigure 2.2: Number of ORD Peer Reviews for 2007-2009\n\n\n                 1        *\n     2009                                              7\n                                                                     10\n\n\n\n                 1        *\n     2008                             4\n                                                       7\n\n\n\n                              3\n     2007                                                      8\n                                            5\n\n\n            0         2           4              6         8        10        12\n\n                                      SAB       BOSC   NHEERL\n\n    * Note: ORD suspended its divisional peer review program in 2008 and, instead,\n    initiated a pilot Management Systems Review (first in the Gulf Ecology Division\n    in 2008, and planned for the Mid-Continent Ecology Division in September 2009).\n    Source: Data provided by ORD during the course of field work.\n\nWe analyzed select program reviews and identified internal control aspects in\nquestions reviewers asked as well as review results and recommendations. While\neach review had different objectives, we found that several reports addressed, to\nvarying degrees, GAO\xe2\x80\x99s standards. Some examples include:\n\n\xe2\x80\xa2     In its mid-cycle review of the Global Change Research Program in September\n      2008, BOSC asked, \xe2\x80\x9cHow responsive has the Global Change Research Program\n\n\n\n                                            14\n\x0c                                                                             09-P-0232\n\n\n    been to the recommendations made in the April 2006 BOSC program review\n    report?\xe2\x80\x9d This question addresses the \xe2\x80\x9cmonitoring\xe2\x80\x9d internal control standard.\n\n\xe2\x80\xa2   In its review of the Human Health Risk Assessment Program in April 2008,\n    BOSC asked, \xe2\x80\x9cHow consistent are the Long Term Goals of the Program with\n    achieving the Agency\xe2\x80\x99s strategic plan and the Human Health Risk\n    Assessment\xe2\x80\x99s MYP (Multi-Year Plan)?\xe2\x80\x9d This question is similar to several\n    items GAO included in its Internal Control Management and Evaluation Tool\n    under the \xe2\x80\x9crisk assessment\xe2\x80\x9d heading.\n\nA risked-based strategy that prioritizes systematic reviews can help determine\nwhether there are redundancies in a program and the programs at greatest risk are\nbeing reviewed. ORD managers acknowledged they may have redundancies in\nthe peer reviews they conduct, and BOSC came to the same conclusion in a\nreport. In addition to the burden of being over-reviewed, ORD does not know if it\nfocuses reviews on the highest risk areas that warrant most attention.\n\nBest Practices ORD Could Implement\n\nWe identified several best practices on management integrity used at public\norganizations that ORD could use (with modifications) in its strategy:\n\n    \xe2\x80\xa2   The State of Minnesota\xe2\x80\x99s risk management plan provides an example of\n        steps that any risk assessment methodology should include. This plan,\n        shown in Table 2.3, becomes the overall basis for developing, evaluating,\n        and maintaining internal control.\n\n        Table 2.3: Elements of Minnesota\xe2\x80\x99s Risk Assessment Methodology\n         1. Identify risk.\n         2. Categorize risk.\n         3. Assess likelihood and effect.\n         4. Prioritize risks.\n         5. Develop a plan to reduce risks (response).\n         6. Document dates and actions taken to reduce risks.\n         7. Establish systematic reviews and track responses.\n         8. Control risk \xe2\x80\x93 use above process, update based on results, and revise.\n        Source: State of Minnesota\n\n\n    \xe2\x80\xa2   The Department of Defense requires its components to: (1) determine\n        high risk areas and establish written plans for testing those areas, and\n        (2) develop a written strategy for program reviews based on those risks.\n        The Defense Acquisition University identifies and describes risks by\n        reviewing strategic and other planning documents and communicating\n        with stakeholders to assess: (a) deliverables and work processes,\n        (b) milestones and schedule dates, (c) resource needs and sources, and\n        (d) performance requirements.\n\n\n\n\n                                     15\n\x0c                                                                                 09-P-0232\n\n\n         In addition, ORD could use GAO\xe2\x80\x99s Internal Control Management and Evaluation\n         Tool, which outlines steps for identifying, assessing, and analyzing\n         internal/external risks and effects. One step to identify internal risk factors\n         includes identifying \xe2\x80\x9cany potential risks due to a highly decentralized program\n         operation\xe2\x80\x9d \xe2\x80\x93 a step relevant to ORD given its matrix organization. We believe the\n         tool provides a sound starting point that offices can tailor as appropriate,\n         particularly since EPA Order 1000.24 affords program managers flexibility in\n         designing review strategies.\n\n         ORD could also conduct benchmarking similar to what it did on efficiency\n         measures for research organizations (see Chapter 1 \xe2\x80\x9cNoteworthy Achievements\xe2\x80\x9d).\n         ORD finds these organizations more analogous to it and could ask for\n         management integrity best practices these organizations apply. Also, four of eight\n         federal agencies we reviewed separate FMFIA into two tracks \xe2\x80\x93 a program track\n         and a financial track. ORD\xe2\x80\x99s Administrative Efficiencies Project workgroup has\n         recently considered developing a \xe2\x80\x9cscientific,\xe2\x80\x9d or programmatic, track, and ORD\n         should thoroughly consider this approach.\n\nConclusion\n         FMFIA requires federal managers to improve the accountability and effectiveness\n         of federal programs and operations by establishing, assessing, correcting, and\n         reporting on internal controls. Internal controls are key factors in achieving\n         agency missions and program results and improving accountability. We\n         recognize efforts ORD has made. However, ORD has several opportunities for\n         continued improvement. Through its proposed Multi-Year Program Review\n         Strategy, ORD could define elements of its training program, consider all\n         performance measures and peer review results for FMFIA reporting, and\n         incorporate internal control best practices. By doing this, ORD will better\n         accomplish FMFIA as intended \xe2\x80\x93 the umbrella under which ORD should form its\n         internal control framework.\n\nRecommendations\n         We recommend that the Assistant Administrator for Research and Development:\n\n         2-1    Conduct a risk assessment using the GAO internal control standard for\n                risk assessment and EPA Order 1000.24 and, based upon the results,\n                develop a comprehensive risk-based program review strategy.\n\n         2-2    Train managers and other management integrity staff on FMFIA and\n                internal controls. For senior managers, offer training designed to provide\n                an overall understanding on internal controls and a manager\xe2\x80\x99s\n                responsibilities under EPA Order 1000.24. For Management Integrity\n                Coordinators, offer training designed to describe how to implement and\n                report on internal controls.\n\n\n                                         16\n\x0c                                                                               09-P-0232\n\n\n\n\n         2-3    Revise the Management Integrity Policy to include programmatic\n                operations. The policy should include a role for National Program\n                Directors, integrate performance measures, reference current FMFIA\n                guidance, and include a training plan. The program should incorporate\n                public sector best practices and a two-track approach to address\n                administrative and programmatic elements.\n\n\nAgency Comments and OIG Evaluation\n         ORD agreed with our draft report findings and concurred with our\n         recommendations. ORD noted, and we agree, that the FMFIA process is not the\n         only opportunity to evaluate and report on research program performance, and\n         ORD\xe2\x80\x99s comments provided additional information on other activities it conducts.\n         ORD included in its report comments a table listing planned corrective actions\n         and completion dates to address our recommendations. We believe ORD\xe2\x80\x99s\n         planned corrective actions address the intent of each of our recommendations.\n         Appendix C includes ORD\xe2\x80\x99s full response.\n\n\n\n\n                                        17\n\x0c                                                                                                                                        09-P-0232\n\n\n\n                                 Status of Recommendations and\n                                   Potential Monetary Benefits\n\n                                                                                                                              POTENTIAL MONETARY\n                                                    RECOMMENDATIONS                                                            BENEFITS (in $000s)\n\n                                                                                                                 Planned\n    Rec.    Page                                                                                                Completion    Claimed    Agreed To\n    No.      No.                          Subject                           Status1      Action Official           Date       Amount      Amount\n\n    2-1      16     Conduct a risk assessment using the GAO internal          O       Assistant Administrator   September\n                    control standard for risk assessment and EPA Order                  for Research and          2010\n                    1000.24 and, based upon the results, develop a                         Development\n                    comprehensive risk-based program review strategy.\n\n    2-2      16     Train managers and other management integrity staff       O       Assistant Administrator    Within 12\n                    on FMFIA and internal controls. For senior managers,                for Research and         months of\n                    offer training designed to provide an overall                          Development            course\n                    understanding on internal controls and a manager\xe2\x80\x99s                                          development\n                    responsibilities under EPA Order 1000.24. For\n                    Management Integrity Coordinators, offer training\n                    designed to describe how to implement and report on\n                    internal controls.\n\n    2-3      17     Revise the Management Integrity Policy to include         O       Assistant Administrator     January\n                    programmatic operations. The policy should include a                for Research and           2010\n                    role for National Program Directors, integrate                         Development\n                    performance measures, reference current FMFIA\n                    guidance, and include a training plan. The program\n                    should incorporate public sector best practices and a\n                    two-track approach to address administrative and\n                    programmatic elements.\n\n\n\n\n1    O = recommendation is open with agreed-to corrective actions pending\n     C = recommendation is closed with all agreed-to actions completed\n     U = recommendation is undecided with resolution efforts in progress\n\n\n\n\n                                                                               18\n\x0c                                                                                                                   09-P-0232\n\n\n                                                                                                              Appendix A\n\n                              Organization of EPA ORD\nORD has facilities geographically located across the country, as shown in Figure A.1, with its\nheadquarters in Washington, DC, and main research facilities in Ohio and North Carolina.\n\n       Figure A.1: Location of ORD Labs, Centers, and Offices\n                              Corvallis, OR\n       Newport, OR                                      Duluth, MN       Cincinnati, OH\n                                                                                   Grosse lle, MI\n\n                                                                                                            Narragansett, RI\n\n                                                                                                     Edison, NJ\n\n                                                                                                    Washington, DC\n\n                                                                                                Research Triangle\n                                                                                                    Park, NC\n              Las Vegas, NV                                                                   Athens, GA\n\n\n                                     Ada, OK                     Gulf Breeze, FL\n       Source: ORD presentation to OIG in October 2008.\n\n\n\nFigure A.2 depicts ORD\xe2\x80\x99s matrix structure.\n       Figure A.2: ORD\xe2\x80\x99s Organizational Structure\n                                             Assistant Administrator                                          EPA Science Advisor\n             Chief of Staff              for Research and Development\n                                   Deputy Assistant Administrator for Management\n                                     Deputy Assistant Administrator for Science\n                                                                                                         Office of the Science Advisor\n\n\n\n            Office of              Office of              Office of                  National\n           Resources               Science                Science                    Program\n          Management                Policy              Information                  Directors\n              and                                      Management\n          Administration\n\n\n         National       National          National       National Risk       National         National         National          Office of\n        Exposure       Health and        Center for      Management         Center for       Homeland         Center for       Administrative\n        Research      Environmental    Environmental      Research        Environmental       Security      Computational      and Research\n        Laboratory       Effects        Assessment        Laboratory        Research         Research        Toxicology          Support\n                        Research                                                              Center\n                       Laboratory\n\n\n       Source: ORD (organizational chart as of April 2009).\n\n\n\n\n                                                          19\n\x0c                                                                                                       09-P-0232\n\n\nDescriptions of duties corresponding to ORD organizational components are in Table A.1.\n\nTable A.1: ORD Organizational Responsibilities\n Assistant         \xe2\x80\xa2 Signs ORD\xe2\x80\x99s annual FMFIA assurance letter.\n Administrator     \xe2\x80\xa2 Provides oversight and accountability for ORD\xe2\x80\x99s management integrity program\n for Research        and internal controls over program operations and financial reporting.\n and               \xe2\x80\xa2 Implements the internal control framework and fosters an organizational\n Development         environment that supports continuous awareness of internal controls at all levels.\n National          \xe2\x80\xa2 Responsible for Multi-Year Plans that establish priorities and goals.\n Program           \xe2\x80\xa2 Serve as primary contacts in PART reviews/GPRA measurement.\n Directors         \xe2\x80\xa2 Coordinate with BOSC regarding Multi-Year Plan program peer reviews.\n Lab, Center, and  \xe2\x80\xa2 Responsible for managing resources allocated to labs, centers, and offices to\n Office Directors    implement research in support of Multi-Year Plans.\n                   \xe2\x80\xa2 Sign annual FMFIA assurance letters for their labs, centers, and offices.\n Office of         \xe2\x80\xa2 Conduit between ORD\xe2\x80\x99s Assistant Administrator, OCFO, and ORD labs, centers,\n Resources           and offices for the assurance letter process, including developing and providing\n Management          management integrity guidance for the organization and consolidating annual\n and                 assurance letters for labs, centers, and offices into ORD\xe2\x80\x99s annual letter.\n Administration\nSource: ORD presentation to OIG, and OIG\xe2\x80\x99s February 2009 interviews with National Program Directors.\n\nORD has developed numerous Multi-Year Plans to administer key research programs and outline\nannual performance goals and associated measures. Multi-Year Plans provide an overview of\nthe direction of ORD\xe2\x80\x99s research, present significant research accomplishments, and communicate\nORD\'s research program to stakeholders. Key research programs include:\n\n         \xe2\x80\xa2     Clean Air                               \xe2\x80\xa2   Ecological Research\n         \xe2\x80\xa2     Human Health                            \xe2\x80\xa2   Water Quality\n         \xe2\x80\xa2     Human Health Risk Assessment            \xe2\x80\xa2   Global Change\n         \xe2\x80\xa2     Drinking Water                          \xe2\x80\xa2   Land\n         \xe2\x80\xa2     Pesticides and Toxic Substances\n               (Safe Pesticides/Safe Products)\n\nSeveral years ago, ORD began to focus on the importance of independently confirming that it\nconducts the right science and does it well. Concurrently, OMB indicated, in conjunction with\nPART, the importance of independent expert reviews of federal research programs. ORD\ninstituted BOSC reviews of its programs and aligned them to meet the structure of PART. In\n2006, to improve its external review process and better ensure the relevancy and credibility of its\nresearch programs and science, ORD developed three specific charge questions for use in\nBOSC\xe2\x80\x99s summary assessment of each research program\xe2\x80\x99s long-term goals:\n\n          1. Relevance: How appropriate is the research used to achieve each long-term goal?\n             Is the program still asking the right questions, or have they been superseded by\n             advancements in the field?\n          2. Quality: How good is the technical quality of the program\xe2\x80\x99s research products?\n          3. Performance: How much are the program results being used by environmental\n             decision-makers to inform decisions and achieve results?\n\n\n\n\n                                                      20\n\x0c                                                                                       09-P-0232\n\n\n                                                                                   Appendix B\n\n                 Details on Scope and Methodology\nWe conducted our audit to determine how ORD implements FMFIA. During our audit, we\nidentified concerns with ORD\xe2\x80\x99s implementation of internal control standards prescribed by the\nComptroller General as required by Section 2 of FMFIA. Our findings only address ORD\xe2\x80\x99s\nimplementation of Section 2 of FMFIA (internal control over programs), and not Section 4\n(financial accounting systems) or Appendix A of OMB\xe2\x80\x99s Circular A-123 (internal control over\nfinancial reporting). Our audit focused on ORD\xe2\x80\x99s headquarters office, in Washington, DC, and\nits NHEERL facilities in Raleigh, North Carolina, and Corvallis and Newport, Oregon.\nNHEERL is ORD\xe2\x80\x99s largest laboratory in terms of its budget and number of personnel employed.\n\nTo address our first objective on whether ORD had a systematic strategy to establish, review,\nand monitor internal controls, we did the following:\n\n   \xe2\x80\xa2   Gathered and analyzed FMFIA regulations, policies, and guidance related to GAO\xe2\x80\x99s\n       Standards for Internal Control in the Federal Government, and OMB Circular A-123.\n   \xe2\x80\xa2   Gathered and analyzed EPA and ORD policies, procedures, guidance documents, and\n       budget data related to FMFIA implementation, including EPA Order 1000.24.\n   \xe2\x80\xa2   Attended briefings by ORD managers regarding ORD\xe2\x80\x99s organization, resource\n       utilization, annual planning, approach to FMFIA implementation, systematic strategy for\n       reviewing internal controls, near- and long-term laboratory studies, and the review\n       process used by BOSC.\n   \xe2\x80\xa2   Conducted site visits to five NHEERL facilities (three collocated in Raleigh, North\n       Carolina, and one each in Corvallis and Newport, Oregon) and attended briefings on\n       organization, resource utilization, annual planning, and FMFIA implementation. (Site\n       visits in Raleigh also included tours of several other ORD laboratories.)\n   \xe2\x80\xa2   Reviewed ORD\xe2\x80\x99s, NHEERL\xe2\x80\x99s, and ORD\xe2\x80\x99s Office of Science Policy FMFIA assurance\n       letters to determine whether they addressed all five GAO standards as specified in\n       OCFO\xe2\x80\x99s FY 2008 guidance. We also reviewed letters to determine whether ORD and\n       NHEERL documented and used program review results to establish and assess the\n       effectiveness of internal controls.\n   \xe2\x80\xa2   Participated in OCFO conference calls and interviewed OCFO staff to understand the\n       FMFIA process, particularly concerns regarding programmatic review elements.\n   \xe2\x80\xa2   Interviewed ORD\xe2\x80\x99s seven Management Integrity Coordinators and their supervisors, and\n       ORD\xe2\x80\x99s eight National Program Directors about roles and responsibilities in implementing\n       ORD\xe2\x80\x99s FMFIA process, focusing on FMFIA time and training requirements and needs.\n   \xe2\x80\xa2   Developed summary working papers on each set of interviews to obtain quantitative data.\n   \xe2\x80\xa2   Identified and analyzed program reviews of ORD research programs for FY 2007 and\n       2008 to determine the extent review questions, results, and recommendations addressed\n       the five GAO standards.\n   \xe2\x80\xa2   Conducted interviews with ORD and NHEERL staff and managers on reasons for including\n       and excluding certain information from the assurance letter development process.\n\n\n\n\n                                               21\n\x0c                                                                                      09-P-0232\n\n\nTo address our second objective on what ORD\'s internal control strategy should contain to\naccount for risks in meeting program goals, we did the following:\n\n   \xe2\x80\xa2   Flowcharted ORD\xe2\x80\x99s calendar of external reviews to determine the number of reviews\n       conducted annually.\n   \xe2\x80\xa2   Benchmarked FMFIA assurance letters and policies used by other federal agencies to\n       determine best practices ORD could use in its own systematic strategy.\n   \xe2\x80\xa2   Conducted follow-up interviews with OCFO staff on their understanding of the internal\n       control review strategy as required by EPA Order 1000.24.\n   \xe2\x80\xa2   Reviewed internal control review strategies from other EPA program offices.\n   \xe2\x80\xa2   Benchmarked other sample risk assessment methodologies available on-line and\n       reviewed how others established controls based upon the Council of Sponsoring\n       Organizations requirements. We also contacted GAO for sample methodologies.\n   \xe2\x80\xa2   Obtained and reviewed ORD\xe2\x80\x99s draft strategy to determine any improvement areas and/or\n       whether it affected our strategy recommendations.\n   \xe2\x80\xa2   Determined the effect of not developing a review strategy by documenting the\n       relationship between EPA Order 1000.24 and OCFO assurance letter guidance,\n       determining how assurance letters could have referenced prior internal/external reviews\n       to demonstrate compliance with internal control standards, and reviewing\n       internal/external reviews and how ORD and NHEERL might redirect review resources.\n\nWe did not find any prior audits or evaluations of ORD\xe2\x80\x99s implementation of FMFIA.\n\n\n\n\n                                              22\n\x0c                                                                                       09-P-0232\n\n\n                                                                                   Appendix C\n\n                  Agency Response to Draft Report\n                                     September 4, 2009\n\n\nMEMORANDUM\n\n\nSUBJECT:      ORD Response to OIG Draft Report EPA\xe2\x80\x99s Office of Research and Development\n              Could Better Use the Federal Managers\xe2\x80\x99 Financial Integrity Act to Improve\n              Operations Project No. OA-FY08-0323\n\nFROM:         Lek G. Kadeli/s/\n              Acting Assistant Administrator (8101R)\n\nTO:           Patrick Gilbride\n              Director, Risk and Program Performance Audits (801G)\n\n        This memorandum responds to the Office of Inspector General (OIG) draft audit report,\nEPA\xe2\x80\x99s Office of Research and Development Could Better Use the Federal Managers\xe2\x80\x99 Financial\nIntegrity Act (FMFIA) to Improve Operations (Project No. OA-FY08-0323), dated August 6,\n2009. The recommendations provided in the report will help the Office of Research and\nDevelopment (ORD) continue to improve its FMFIA process.\n\n        As the scientific research and assessment arm of EPA, ORD maintains a strong\nmanagement integrity program that systematically reviews and assesses the effectiveness of\ninternal controls consistent with GAO Standards and OMB Circular A-123. As required by the\nFederal Managers\xe2\x80\x99 Financial Integrity Act (FMFIA), we annually evaluate our internal controls\nover programs and administrative systems and provide assurance on the integrity of our controls.\nORD is committed to ensuring that our science is of the highest quality, our programs are\nmanaged effectively and efficiently, and that we aggressively prevent fraud, waste, and abuse.\n\n        In contrast to the report\xe2\x80\x99s conclusion, the FMFIA process is not the only \xe2\x80\x9copportunity to\nevaluate and report on research program performance.\xe2\x80\x9d As you correctly noted in the report,\nORD has \xe2\x80\x9cfocused on the importance of independently confirming that it conducts the right\nscience and does it well.\xe2\x80\x9d ORD instituted a strategic multi-year planning process to guide the\ndirection of ORD\xe2\x80\x99s research to focus on EPA\'s highest priority needs for science and promote\ncoordination of research across laboratories, centers and offices to achieve its goals. ORD has\nengaged other agencies and scientific experts in an effort to determine the most effective\napproach(es) to evaluate and measure the efficiency of its research programs through reviews by\nBoard of Scientific Counselors, Science Advisory Board, and the National Academy of Sciences;\nquality assurance programs, which include peer reviews and self inspections; and Government\nAccountability Office and OIG audits. Thus far in FY 2009, more than 70 reviews of ORD\n\n\n\n                                               23\n\x0c                                                                                       09-P-0232\n\n\nprograms, functions and operations have been completed. Based on the results of these reviews,\nwe are continually improving the science and research we provide to the Agency.\n\n       The OIG provides three recommendations to strengthen ORD\xe2\x80\x99s FMFIA process. In\ngeneral we agree with the recommendations and I am pleased to say that ORD has been actively\nworking on revisions to its FMFIA process. ORD will continue to include information in its\nassurance letter that it deems to be of significant importance to the Administrator. ORD remains\ncommitted to management integrity and maintaining effective internal controls throughout our\norganization.\n\n        Attached please find: (1) our response to each of the three recommendations contained in\nthe draft report and 2) a summary table of ORD\xe2\x80\x99s corrective actions and associated projected\ncompletion dates. If you have any questions, please contact me or Deborah Heckman at (202)\n564-7274.\n\nAttachment\n\ncc: Donna Vizian\n    Hal Zenick\n    Amy Battaglia\n    Jim Morant\n    Deborah Heckman\n\n\n\n\n                                               24\n\x0c                                                                                      09-P-0232\n\n\n               ORD Response to OIG Recommendations Contained in Draft Report\n\n                 \xe2\x80\x9cEPA\xe2\x80\x99s Office of Research and Development Could Better Use the\n                 Federal Managers\xe2\x80\x99 Financial Integrity Act to Improve Operations\xe2\x80\x9d\n                                   Project No. OA-FY08-0323\n                                         August 6, 2009\n\nRecommendation 2-1 - Conduct a risk assessment using the GAO internal control standard for\nrisk assessment and EPA Order 1000.24 and, based upon the results, develop a comprehensive\nrisk-based program review strategy.\n\nResponse: ORD generally agrees with this recommendation.\n\nRecognizing the complexity of conducting a comprehensive risk assessment6 for a research\norganization, ORD is developing an ORD-wide approach to the risk assessment. By December\n2009, ORD senior leaders will be designated to serve on ORD Executive Assessment Team\n(ORDEAT) to: ensure consistency in ORD\xe2\x80\x99s corporate approach to internal controls; review\ninternal control information in order to make corporate decisions; concur on the ORD three-year\nprogram and management review schedule; and make recommendations to the DAA for\nManagement and AA regarding the ORD high risk areas. By August 2010, ORD will review its\nprocesses, test key internal controls related to ORD activities, and assess programmatic and\nadministrative risks. By September 2010, after completing the risk assessment activities, ORD\nwill revise its multi-year program review strategy as necessary.\n\nRecommendation 2-2 - Train managers and other management integrity staff on FMFIA and\ninternal controls. For senior managers, offer training designed to provide an overall\nunderstanding on internal controls and a manager\xe2\x80\x99s responsibilities under EPA Order 1000.24.\nFor Management Integrity Coordinators, offer training designed to describe how to implement\nand report on internal controls.\n\nResponse: ORD generally agrees with this recommendation.\n\nORD is committed to training managers and employees involved with administering ORD\xe2\x80\x99s\nmanagement integrity program. However, OCFO agreed to \xe2\x80\x9ccomplete development of an\nAgency-wide strategy for comprehensive, tiered FMFIA training by the end of fiscal year 2009\xe2\x80\x9d\nin its July 16, 2009 response to the OIG draft audit report titled EPA Should Use FMFIA to\nImprove Programmatic Operations (Project No. 08-FY08-0323). In order not to duplicate\nOCFO\xe2\x80\x99s efforts, ORD will collaborate with OCFO on developing and implementing an Agency-\nwide training program which ensures compliance with FMFIA and proper reporting of internal\ncontrols. ORD will assess the applicability of the newly developed training for senior ORD\nmanagers and, if necessary, initiate additional course development. ORD will then ensure that\nits managers and integrity staff are trained within 12 months of completion of the course\ndevelopment.\n\n\n\n6\n    As defined by GAO Standards for Internal Control in The Federal Government\n\n\n                                                        25\n\x0c                                                                                      09-P-0232\n\n\nRecommendation 2-3 - Revise the Management Integrity Policy to include programmatic\noperations. The policy should include a role for National Program Directors, integrate\nperformance measures, reference current FMFIA guidance, and include a training plan. The\nprogram should incorporate public sector best practices and a two-track approach to address\nadministrative and programmatic elements.\n\nResponse: ORD generally agrees with this recommendation.\n\nBy January 2010, ORD will revise the ORD Management Integrity Policy to include\nprogrammatic operations, appropriate integration of performance measures and outcomes and\nreference current FMFIA guidance. As recommended, ORD will devise a two-track approach to\naddress administrative and programmatic elements as required by GAO and Agency guidance.\nThe new policy will define the roles of management and will include National Program Directors\nresponsibilities or other matrix managers we may have in the future under ORD\xe2\x80\x99s programmatic\noperations. The Management Integrity Policy will reference Agency training requirements for\nall managers and ORD integrity staff.\n\n\n\n\n                                               26\n\x0c                                                                                                         09-P-0232\n\n\n                      ORD Corrective Actions and Projected Completion Dates\n\nRec.         OIG Recommendation                   Lead                   ORD Corrective Action                  Planned\nNo.                                           Responsibility                                                   Completion\n                                                                                                                 Date\n       Conduct a risk assessment using the      Assistant       ORD is currently finalizing a strategy that     September\n       GAO internal control standard for      Administrator     examines and reports on internal controls         2010\n       risk assessment and EPA Order          for Research      covering programmatic and administrative\n       1000.24 and, based upon the results,        and          operations and financial activities. Once\n2-1    develop a comprehensive risk-based     Development       finalized, ORD\xe2\x80\x99s multi-year program\n       program review strategy                                  review strategy will help ORD identify\n                                                                high-risk areas, detect weaknesses and\n                                                                deficiencies, and identify best practices in\n                                                                our internal controls.\n       Train managers and other                 Assistant                                                       Within 12\n       management integrity staff on          Administrator                                                     months of\n       FMFIA and internal controls. For       for Research      Collaborate with OCFO                            Course\n       senior managers, offer training             and                                                         Development\n       designed to provide an overall         Development\n       understanding on internal controls\n2-2    and a manager\xe2\x80\x99s responsibilities\n       under EPA Order 1000.24. For\n       Management Integrity\n       Coordinators, offer training\n       designed to describe how to\n       implement and report on internal\n       controls.\n       Revise the Management Integrity          Assistant       ORD will revise the ORD Management             January 2010\n       Policy to include programmatic         Administrator     Integrity Policy to include programmatic\n       operations. The policy should          for Research      operations, a definition of the National\n       include a role for National Program         and          Program Directors\xe2\x80\x99 role in the process and\n       Directors, integrate performance       Development       integration of performance measures and\n       measures, reference current FMFIA                        outcomes.\n2-3\n       guidance, and include a training\n       plan. The program should\n       incorporate public sector best\n       practices and a two-track approach\n       to address administrative and\n       programmatic elements\n\n\n\n\n                                                           27\n\x0c                                                                              09-P-0232\n\n\n                                                                            Appendix D\n\n                                    Distribution\nOffice of the Administrator\nActing Assistant Administrator, Office of Research and Development\nAgency Follow-up Official (CFO)\nAgency Follow-up Coordinator\nGeneral Counsel\nAssociate Administrator for Congressional and Intergovernmental Relations\nAssociate Administrator for Public Affairs\nAudit Follow-up Coordinator, Office of Research and Development\nAudit Follow-up Coordinator, Office of the Chief Financial Officer\nActing Inspector General\n\n\n\n\n                                             28\n\x0c'